We have a fairly standard home networking setup – a DSL modem, a wireless router, and a hub distributing 100BaseT to some RJ-45 sockets scattered about the house. The modem and the router both have firewalls and web interfaces to them, but neither of them is very versatile. For example, one thing they can’t do is log traffic on a per-IP basis, so when we start using 500Mbytes/day they can’t tell me which machine in the house it is coming from. We have a bandwidth cap, above which our ISP chops us back to 64Kbits up and down, so that can be important. Nor can the DSL modem firewall send mail to me logging firewall rejects, so sometimes when something doesn’t work it can be difficult to tell whether it’s the PC, the firewall, or something broken in the outside world. A proper firewall can do all these things and a lot more, as I know from running an OpenBSD-based firewall for my employer for the last ten years. And the firewalls in DSL modems don’t have such a great reputation for security. Holes have been found in some. Our modem has an additional peculiarity: it insists on running a DNS cache and providing its own address as a DNS server to local machines. Unfortunately the cache isn’t all that great and falls over every two or three days. The only solution is to turn the modem off and on, which is a bit vexing.
So that was one reason to look at installing a separate stand-alone machine to act as a firewall. The other was Zoneminder. Zoneminder is another piece of security software, but of a different kind altogether. It does motion detection on video cameras attached to the PC, analyses the results, and records them. And it does it very well indeed. It’s free, open source software that runs under Linux. I try not to be paranoid about crime, and burglary isn’t very common in New Zealand, but when I was in my twenties our family home was burgled and my father’s extensive stamp collection stolen. About six months later the police arrested the two men responsible and recovered much of the collection, but that was mostly due to a piece of good luck and some clever detective work by a small-town constable. Initially the police had no leads at all, because although the burglary was in broad daylight, no-one saw the thieves, or remembered them if they did. So I have always thought that a camera that automatically recorded everything that passed in and out of the house would be a good idea. Systems to do this have always been available, but anything to do with video security seems to cost the earth. Zoneminder does not.
Running a combined router/firewall/security camera system under Linux is a Bit Technical, but as I hope to show it wasn’t that difficult, and it expanded beyond that quite easily. I’m by no means a Linux expert, or even an experienced user. I do have some background in Unix system administration, but it has never been my main job. Selecting a Linux distribution to use was made easy by a brief experience I had earlier in the year with our Japanese exchange student. He needed a machine to do web browsing and mail on. In Japanese would be nice. We had an old Athlon XP based machine running Windows 2000, but a brief look at the complexity of installing a Japanese language kit on that put me off. I didn’t want to buy another copy of XP for the purpose, and there were copies of the Ubuntu Feisty Fawn desktop installer about at work. So as an experiment, and expecting problems, given my previous encounters with Linux on the desktop, I tried it. And it worked, largely flawlessly and quite reliably. In Japanese. Or so our student assures me.
The next step was to buy a suitable host machine. Practically anything with two Ethernet ports can be a router and firewall, but ZoneMinder needs a bit of CPU grunt and RAM to work in. Comparing umpteen images a second to see if anything has changed requires some resources. For the 3-4 cameras I was thinking of, a 1GHz CPU and 512M of RAM seemed to be a good idea, although it’s difficult to generalise. On the other hand, the host needed to be as small and as low-power as possible, because it was going to be on all the time and live in a cupboard with no keyboard or screen. I could have built something out of parts, but it would have cost $600-$700, which was too expensive for an experiment. It would be better to recycle an old machine. After some searching on TradeMe (a New Zealand auction site like eBay), I picked up an old HP Vectra XE310 for $100 plus $30 shipping.
The Vectra is just about ideal for this job. It has 512M of RAM, a 40G hard drive, and a 1.2GHz Pentium III Tualatin in it, which is one of the last Pentium IIIs made before the power-hungry Pentium IV NetBurst architecture came along. So the CPU is reasonably quick (about the same as a 1.8GHz PIV) and relatively low-power, about 25W. Because the Vectra is a business machine built by HP, it’s very solid, excellent documentation is available online, and it’s almost worthless because it won’t play games and there is no way of making it play games; no AGP slot. But it does have onboard Ethernet and three PCI slots. A cheap Realtek Ethernet card goes in one PCI slot, and a Hauppauge ImpactVCB video capture card in another, and we are done, for a total cost of about $250. Another $200 spent on TradeMe got me a nice second-hand Samsung video camera for indoors, and a “vandal-proof” outdoor dome camera. I spent another $20-$30 on cable and BNC connectors and had some fun installing cables and ducting to appropriate places.
The next step was to install the current Ubuntu server release (Gutsy Gibbon – where do they get these names from?) on the HP Vectra, which meant downloading the .iso image, burning it to a CD, and booting the Vectra from it. The install process asked a few sensible questions (I asked it to install OpenSSH and DNS server software), and the whole process nearly worked perfectly. The one problem turned out to be a thing called ACPI, which is a standard used to tell the operating system about the power-saving technologies available on the machine, via tables and p-code that live in the BIOS firmware. ACPI is not a friendly standard – for example, see this rant. Remarks about it being designed by a bunch of monkeys on LSD have been made. Unfortunately the Vectra’s BIOS was written in the early days of ACPI and seems to have broken some of the rules, as far as they can be understood. Ubuntu as provided has difficulties with this, and by the time it gives up trying to understand it has borked the Ethernet ports by misconfiguring their interrupt lines.
I figured out that the Ethernet ports were broken by the fact that one was missing from the output of ifconfig, and by looking at the output of dmesg, which contained agitated remarks like:
[ 45.834622] PCI BIOS passed nonexistent PCI bus 1!
[ 45.834627] PCI BIOS passed nonexistent PCI bus 0!
[ 45.834631] PCI: No IRQ known for interrupt pin A of device 0000:01:08.0. Probably buggy MP table.
One of the standard pieces of advice for dealing with ACPI problems, which seem to be particularly bad on laptops, is to update the BIOS, but HP only produced one version for the XE310, so that was out. Some Googling eventually found a workaround, which is to tell the Linux kernel to abandon ACPI for some purposes by adding pci=noacpi to the end of the kernel boot line in /boot/grub/menu.lst.
This was a bit of a disappointing start. ACPI is obviously pretty nasty, but Ubuntu couldn’t even hint at what the problem was, it just couldn’t network. I had to read the log files and do something pretty obscure to get my hardware to work.
The next step was to set up static routing tables to tell the system what networks it was connected to. One Ethernet port talks to the DSL modem, and the other to the household net. The network IP numbers could be arbitrary RFC1918 addresses, as long as the DSL modem would work with them. It was set up to use 192.168.1.1, so I made its network 192.168.1.0, assigned the household net to 10.11.12.0 and set up /etc/network/interfaces as:
# The external network interface
auto eth0
iface eth0 inet static
    address 192.168.1.32
    network 192.168.1.0
    netmask 255.255.255.0
    gateway 192.168.1.1

# The local network interface
auto eth1
iface eth1 inet static
    address 10.11.12.1
    network 10.11.12.0
    netmask 255.255.255.0
I also needed to tell the system where to get DNS services, which was a matter of entering my ISP’s nameserver addresses into /etc/resolv.conf:
nameserver 127.0.0.1
nameserver 220.127.116.11
nameserver 18.104.22.168
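A consistency check for this two-interface setup, as an added example that is not part of the original post: it parses the stanza format used above (the embedded sample is the configuration shown, reproduced inline so the check runs offline), recomputes each network from address and netmask, and flags a network line that disagrees with the netmask, a gateway outside its own subnet, a non-RFC1918 range, or two sides whose subnets overlap.

```python
import ipaddress
from itertools import combinations

# Sample input: the two stanzas shown above, embedded so the check runs offline.
SAMPLE = """\
# The external network interface
auto eth0
iface eth0 inet static
    address 192.168.1.32
    network 192.168.1.0
    netmask 255.255.255.0
    gateway 192.168.1.1
auto eth1
iface eth1 inet static
    address 10.11.12.1
    network 10.11.12.0
    netmask 255.255.255.0
"""

def parse_interfaces(text):
    """Return {name: {option: value}} for each 'iface <name> inet static' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and surrounding blanks
        kw = words[0] if words else None      # None for blank or comment-only lines
        if kw in ("auto", "allow-hotplug", "mapping", "source", "iface"):
            current = None                    # any top-level keyword ends a stanza
        if kw == "iface" and len(words) >= 4 and words[3] == "static":
            current = stanzas.setdefault(words[1], {})
        elif current is not None and len(words) >= 2:
            current[kw] = words[1]            # address / network / netmask / gateway
    return stanzas

def check_router_config(text):
    """Return a list of problems; an empty list means the config is consistent."""
    problems, nets = [], {}
    for name, opts in parse_interfaces(text).items():
        iface = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}")
        net = nets[name] = iface.network
        if "network" in opts and ipaddress.ip_address(opts["network"]) != net.network_address:
            problems.append(f"{name}: declared network {opts['network']}, computed {net}")
        if "gateway" in opts and ipaddress.ip_address(opts["gateway"]) not in net:
            problems.append(f"{name}: gateway {opts['gateway']} is not on {net}")
        if not net.is_private:
            problems.append(f"{name}: {net} is not a private (RFC1918) range")
    for a, b in combinations(sorted(nets), 2):  # the two sides must not overlap
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a} and {b} overlap: {nets[a]} vs {nets[b]}")
    return problems
```

Run `check_router_config(open("/etc/network/interfaces").read())` on the box itself to check a real file; an empty list means the modem-side and household-side stanzas agree with each other.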
Having done this and restarted, the Internet was immediately visible, and the process of installing packages could begin. The machine could also be deprived of its keyboard and monitor and stuffed in the cupboard, because from here on everything can be done by logging into it over ssh from my Mac.
I’ll split this post into at least two parts, so installing packages will be covered in Ubuntu Part Two, The Gathering.